THE "TOP SEVEN"
The logging takes place in both the central system and the subsidiary systems. If the change documents are to be read for the attached subsidiary systems, the subsidiary systems must also be at the release and support package status specified in SAP Note 1902038. In addition, RFC users in their daughter systems need permission to read the change documents using the S_USER_SYS authorization object with the new activity 08 (Read the change document).
Other project settings should be defined on the Scope, Project Views, Project Employees, Status Values, Keywords, Document Types, Transport Orders, and Cross Reference tabs. After all entries have been made, you must secure the project. Do not forget to generate the project. The SPRO transaction allows you to edit the newly created customising project. The first call does not display the newly created project. To view it, click the Record button in the Work Inventory ( ), select your project, and then confirm your selection. After you have successfully created, generated, or edited the project, you will perform the PFCG transaction to create a customising role for the project. Select a name for the role, and then click Create Single Role. Now open the Menu tab and follow the path: Tools > Customising Permissions > Add > Insert Customising Activities. Then choose between IMG Project and View of an IMG Project. All transaction codes are added from the IMG project to the Role menu. Note that this can be a very large number of transactions and can therefore take longer. You can then use the Permissions tab to express the authorization objects as usual. Back up and generate the role.
Roles and permissions in SAP SuccessFactors often grow organically and become confusing
Authorizations in a company are usually not assigned to individuals, but to roles. A role describes jobs or positions within the organization. One or more persons can hold a role and thus have the access authorizations assigned to the role. The authorization profile (the number of authorizations) of a role contains all authorization objects that are required to execute the transactions. By means of a profile generator (transaction PFCG) the creation of the authorization profile can be automated in SAP.
Finally, the check logic provides for a row-level check within a table if you want to restrict access to the table contents depending on an organisational mapping. For example, if you want a user to view only the data from a table that affects the country where their work location is located, you must configure it accordingly. To do this, you define and activate organisation-relevant fields as an organisational criterion (see Tip 62, "Organisationally restrict table editing permissions"). To keep track of which users can access which tables, run the SUSR_TABLES_WITH_AUTH report. This report provides information about which user or single role has the S_TABU_DIS or S_TABU_NAM authorization objects. The result list shows all the authorised tables, their permissions, and their permission values.
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
In this way, you can tailor your SAP role concepts to the content of the usage behaviour.
You can use the function block level permission check by setting the FUNC value in the RFC_TYPE field in the S_RFC authorization object.